SOA, Web services security gaining priority at large enterprises

By Robert Westervelt, News Editor
03 Jul 2007 | SearchSecurity.com

Security Wire Daily News

SAN FRANCISCO -- All enterprises will have to find tools to secure Web services as Web-based languages, such as Extensible Markup Language (XML), are gradually introduced into system architectures. In a recent interview conducted at the Burton Group Catalyst conference, Chris Haddad, director of technical architecture at Midvale, Utah-based Burton Group, discussed the growing use of XML gateway appliances and other tools enterprises are using to secure service interactions. "Developers today have the tools to produce Web services and there are a multitude of unmanaged, unsecured Web services inside an organization's data center and across its application landscape," Haddad said. "Companies are realizing that they have to gain control of this environment." In this Q&A, Haddad talks about the evolution of SOA, the introduction of Web services and how early adopters are choosing to secure the Web-based messages being sent between applications and systems.

Talk about the evolution of SOA deployments. What stage are many enterprises in and where does security fit into the picture?

Chris Haddad: Over the last two years, organizations have been in a planning phase. They've been educating themselves about the security threats and the risks that they have to mitigate against. They have been crafting a service-oriented security strategy. They're understanding how their technologies could fill the gaps and when they need to purchase new infrastructure and adopt new security protocols. We've seen in the recent months where organizations are moving out of that planning phase and moving into more of an infrastructure selection and deployment phase. They have gone through an RFP phase and are actually purchasing various products to help secure their service message traffic.

What are some of the Web services security products that enterprises are considering and has security been forefront in their minds?
Haddad: Ever since we started to extend the reach of our business systems to partners, clients, and suppliers, security has been foremost because we're exposing our sensitive business assets to the outside world, outside our normal firewall. When you move towards service orientation, the hard walls that you built up around your system suddenly disappear. The boundary and perimeter go away. Organizations have been very concerned about the risks that they might introduce and have put in place additional technology to secure their service interactions, such as the introduction of an [extensible markup language] XML gateway, an XML VPN, or an XML firewall, into their infrastructure portfolio.

What is the vendor landscape like and what have been some of the early investments?
Haddad: We've seen significant adoption of XML gateway product offerings by enterprises. We've seen that the volume of product shift in that space has exploded dramatically during the early part of this year and will continue. A lot of the product category growth has been driven by acquisition of leading start-up vendors [such as IBM's acquisition of XML networking vendor DataPower in 2005, and Cisco Systems Inc.'s plans to acquire XML gateway vendor Reactivity Inc. for $135 million in cash, announced in February]. That has brought additional marketing and a very well equipped sales channel to sell those product offerings.

What is an XML gateway and why is it important to a company's Web services security strategy?
Haddad: An XML gateway is a hardware appliance that provides hardware assisted acceleration of encryption and digital signing capabilities. These are very expensive operations that can be offloaded from your service platform to a dedicated device. XML gateways serve as central choke points where they monitor, control and secure Web service traffic and can apply security services to that traffic such as authentication, authorization, encryption, signature processing, credential mapping, message scanning, and protection from denial of service attacks. These are very full featured, rich devices that are heavily focused on security. In addition to that, they have many other value-add capabilities such as service monitoring, provisioning of policies among clients and services, and they provide a central place to control your security posture through definition of policies in these systems that are then distributed across your endpoints as declarative policies that are enforced throughout your environment.

Why can't Web services threats be mitigated through traditional security?

Haddad: We're looking to mitigate these attacks inside the network application platform itself. We're looking to intercept the messages before they reach our application services and inspect these messages at a level above the traditional network technologies. Rather than just having a firewall in place that understands how to prevent denial of service attacks, we're looking to inspect the XML message itself to understand the intent of the message.
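As an added illustration of the gateway-side inspection Haddad describes (this code is not from the interview or from any Burton Group or vendor material), the following Python snippet applies structural policy checks to a SOAP request before the backend service ever parses it; the limits, the allowed-operation list and the sample messages are all constructed for the example.

```python
# Added example (not from the article): an XML-gateway-style inspection step
# that applies structural limits to a SOAP request before the backend service
# parses it. Limits and the allowed-operation list are constructed policy
# values for the example, not figures from the article.
from io import BytesIO
import xml.etree.ElementTree as ET

SOAP_BODY = "{http://schemas.xmlsoap.org/soap/envelope/}Body"
MAX_BYTES = 64 * 1024        # assumed policy: reject oversized messages
MAX_DEPTH = 32               # assumed policy: reject deeply nested XML
ALLOWED_OPS = {"GetQuote"}   # assumed policy: operations the service exposes

def inspect_message(raw: bytes):
    """Return (accepted, reason); nothing is forwarded unless accepted."""
    if len(raw) > MAX_BYTES:
        return False, "message exceeds size limit"
    # SOAP messages carry no DTD; refuse one outright instead of letting the
    # backend parser expand whatever entities it declares.
    if b"<!DOCTYPE" in raw:
        return False, "DOCTYPE not permitted"
    stack, operation = [], None
    try:
        for event, elem in ET.iterparse(BytesIO(raw), events=("start", "end")):
            if event == "end":
                stack.pop()
                continue
            stack.append(elem.tag)
            if len(stack) > MAX_DEPTH:
                return False, "nesting depth limit exceeded"
            # Envelope > Body > <operation>: the first Body child names the call.
            if len(stack) == 3 and stack[1] == SOAP_BODY and operation is None:
                operation = elem.tag.rsplit("}", 1)[-1]
    except ET.ParseError as exc:
        return False, f"malformed XML: {exc}"
    if operation not in ALLOWED_OPS:
        return False, f"operation not permitted: {operation}"
    return True, "ok"

# Constructed sample traffic for the gateway to inspect.
GOOD_REQUEST = b"""<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Header><RequestId>c-1</RequestId></soap:Header>
  <soap:Body><GetQuote xmlns="urn:example:quotes"><Symbol>ACME</Symbol></GetQuote></soap:Body>
</soap:Envelope>"""
DTD_REQUEST = b"<!DOCTYPE Envelope>" + GOOD_REQUEST
DEEP_REQUEST = b"<a>" * 40 + b"</a>" * 40
UNKNOWN_OP = GOOD_REQUEST.replace(b"GetQuote", b"ResetAccounts")
```

The point is that every rejection happens on the message content itself, which a packet-level firewall that only sees port 443 traffic cannot do.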

Are companies beginning to deploy the WS-Security OASIS standard?
Haddad: Companies are just now adopting WS-Security as a mainstream way of doing business. It's been very difficult for organizations to adopt WS-Security in the past because the tooling to implement the specification had been fairly immature. You had to be a rocket scientist to connect up a .NET service client with a J2EE service using the specification. The introduction of Web services security products such as XML gateways and XML VPNs has enabled teams to implement the specification in an easier manner.

What is the difference between WS-Security and SSL and are they good enough protocols for securing message traffic?
Haddad: SSL stands for Secure Sockets Layer and it's a way to encrypt message traffic between a client and a service. The encryption happens at the network layer and it's only good between a particular client and a particular server. It builds a very tight connection between the two. If the message is taken off the wire or routed to another service provider, the security context disappears. Protocols such as WS-Security enable the security context to span across multiple intermediaries who can inspect the message and might be routing and passing the message along. That's where providing a level above the network enables you to keep the encryption in place even when the message is taken off of the wire.
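An added example, not from the article, of the difference Haddad draws: a signature computed over the message body stays verifiable after an intermediary annotates and forwards the message, whereas a transport session would have ended at that hop. It substitutes an HMAC under an assumed shared key for WS-Security's XML Signature and security-token machinery, and the `urn:example:security` namespace, `Via` element and `PlaceOrder` request are placeholders constructed for the example.

```python
# Added example (not from the article): message-level integrity that survives an
# intermediary, unlike a transport-level (SSL) context that ends at each hop.
# WS-Security uses XML Signature with security tokens; this stand-in uses an HMAC
# over the serialised soap:Body under a shared key (an assumption for brevity).
import copy, hashlib, hmac
import xml.etree.ElementTree as ET

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
SEC = "urn:example:security"          # stand-in for the wsse:Security header
ET.register_namespace("soap", SOAP)
ET.register_namespace("sec", SEC)
SHARED_KEY = b"constructed-demo-key"  # constructed; real deployments use tokens

def body_bytes(envelope):
    """Deterministic serialisation of soap:Body, the signed portion."""
    body = copy.deepcopy(envelope.find(f"{{{SOAP}}}Body"))
    body.tail = None
    return ET.tostring(body)

def sign(envelope):
    """Sender: place an HMAC over the Body in the security header."""
    sec = ET.SubElement(envelope.find(f"{{{SOAP}}}Header"), f"{{{SEC}}}Security")
    ET.SubElement(sec, f"{{{SEC}}}Signature").text = hmac.new(
        SHARED_KEY, body_bytes(envelope), hashlib.sha256).hexdigest()
    return ET.tostring(envelope)

def route_through_gateway(wire_msg, hop_name):
    """Intermediary: inspects the message, annotates the Header, forwards it."""
    env = ET.fromstring(wire_msg)
    ET.SubElement(env.find(f"{{{SOAP}}}Header"), "Via").text = hop_name
    return ET.tostring(env)

def verify(wire_msg):
    """Final recipient: recompute the HMAC over the Body as received."""
    env = ET.fromstring(wire_msg)
    sig = env.find(f"{{{SOAP}}}Header/{{{SEC}}}Security/{{{SEC}}}Signature")
    expected = hmac.new(SHARED_KEY, body_bytes(env), hashlib.sha256).hexdigest()
    return sig is not None and hmac.compare_digest(sig.text, expected)

def build_order():
    """Constructed sample request: a PlaceOrder call with an empty Header."""
    env = ET.Element(f"{{{SOAP}}}Envelope")
    ET.SubElement(env, f"{{{SOAP}}}Header")
    order = ET.SubElement(ET.SubElement(env, f"{{{SOAP}}}Body"), "PlaceOrder")
    ET.SubElement(order, "Qty").text = "10"
    return env

def demo():
    """Returns (verifies after routing, verifies after tampering in transit)."""
    forwarded = route_through_gateway(sign(build_order()), "gateway-1")
    tampered = forwarded.replace(b"<Qty>10</Qty>", b"<Qty>1000</Qty>")
    return verify(forwarded), verify(tampered)
```

The gateway can read and extend the Header freely because only the Body is under the signature; any change to the Body between sender and final recipient is caught regardless of how many hops the message took.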
